__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
New Worms and Helpful Computer Users
September 18, 2003 22:00 GMT Number N-153
______________________________________________________________________________
PROBLEM: A new worm named Swen appeared this morning masquerading as a
patch for a Microsoft Windows patch. The spread of the worm is
being helped along by computer users who dutifully install the
patch (worm) and pass it on.
PLATFORM: Windows
DAMAGE: Helpful users install and pass on the worm.
SOLUTION: 1. Keep your antivirus software up to date.
2. Do not execute attachments that you are not expecting.
3. Do not install patches received as e-mail attachments.
______________________________________________________________________________
VULNERABILITY The risk is HIGH. Current viruses and worms install backdoors
ASSESSMENT: in systems that allow remote intruders to take over and use
those systems. Usage includes spying, industrial espionage,
e-mail spamming, creation of porno sites, proxy servers, etc.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-153.shtml
BACKGROUND: http://www.computerworld.com/securitytopics/
security/story/0,10801,84214,00.html
http://office.microsoft.com/assistance/Preview.aspx?
AssetID=HA010550011033&CTT=6&Origin=EC010553071033
______________________________________________________________________________
A new worm named W32.Swen.A@mm appeared this morning masquerading as a patch
for a Microsoft vulnerability. The e-mail appears to come from security at
Microsoft and has an attached executable file that is supposed to be a patch
for the vulnerability. In fact, the patch is the virus and double clicking
on the patch installs the virus on your system.
A few copies managed to get into at least one site before e-mail virus
scanners were updated. While this in itself is not noteworthy (we see new
worms appearing almost daily) we would like to reiterate to DOE computer users
three security items.
1. Keep your antivirus scanners up to date.
2. Do not execute attachments you are not expecting especially if those
attachments are executables.
3. Do not install patches or updates sent as attachments to e-mail
messages.
Keep Your Antivirus Scanners Up To Date
=======================================
Anitvirus scanners must be kept up to date. You should update your scanners
on a weekly basis to insure that you have the most up-to-date virus
definitions. If you hear of a new virus making the rounds, update your
antivirus definitions immediately before reading mail or downloading any
files. Most scanners can be set to automatically update themselves on a
regular schedule. Don’t depend on corporate antivirus scanners to protect you
as new malicious code can sneak by them before new scan signatures are
available.
Do Not Execute Attachments You Don’t Expect
===========================================
One of the most common methods for the current viruses and worms to spread is
as e-mail attachments. If you get an attachment from someone, even someone you
know, don’t simply double click on it to see what it is. Virus scanners can
miss things or be out of date for a while such as the when a new worm hits so
you must be on the alert for malicious code that gets past them.
Before opening an attachment, determine if it is a document or picture, or if
it is an executable file, batch file, or script file. On Windows systems the
file type is determined by the file extension. The extensions for files that
can execute code are:
.ade, .adp, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .hta, .inf,
.ins, .isp, .js, .jse, .lnk, .mdb, .mde, .msc, .msi, .msp, .mst, .pcd, .pif,
.reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh
(See the following article for more information on these types:
http://office.microsoft.com/assistance/preview.aspx?
AssetID=HA010550011033&CTT=6&Origin=EC010553071033
To see file extensions, you must turn off the explorer option “Hide extensions
for known file types.”
To turn it off,
1. Open a file explorer window.
2. Choose Tools, Folder Options, View tab.
3. Uncheck Hide file extensions for known file types.
4. Click OK.
Some malicious code tries to hide the file type by using a double extension.
For example, mypictures.jpg.exe appears to be a picture file (.jpg). This is
especially true if “Hide file extensions for known file types” is checked, in
which case you will only see the .jpg extension. Be sure you can see
extensions and look at the right-most extension as that is the one that is the
true file type. Look also at the icon as it is determined by the file type and
the application used to open that file.
The .lnk file type is always hidden, even when you uncheck “Hide file
extensions for known file types.” Look at the icon displayed for the file. If
it is a .lnk file the icon has a square box containing a bent arrow
superimposed on the lower-left corner of the icon. For example, the following
icon is a link to a spreadsheet.
<<n-153.jpg>>
You can also right click on the file and select properties. On the General tab
the Type of File is Shortcut. Normally, .lnk files are links to other files
but if they are executable code instead of a link, they run when double
clicked.
Do Not Install Patches and Updates Received Via E-mail Attachments
==================================================================
Software vendors, antivirus vendors, and incident response teams (such as
CIAC) do not send patches as attachments to e-mail messages. All will send
messages describing the problem and then provide an online link where you can
go to get and verify a patch or update. Be sure you check the link to be sure
it is really the company you want to get the patch from. Better yet, type the
url for the company yourself instead of clicking on the link. We have seen
links in fraudulent messages that look like the following:
http://www.paypal.com@az.ru
You might think that this is a link to www.paypal.com but it is not. In this
case, www.paypal.com is the username at the az.ru site.
Conclusions
===========
As we stated in the beginning, a new worm has been seen that is entering sites
via an e-mail attachment. While this is not a unique event, it is a good time
to review what you should do when you receive a file with an attachment.
Remember:
1. Keep your antivirus up to date.
2. Don’t run attachments you are not expecting.
3. Don’t install patches and updates that are e-mail attachments.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-144: Microsoft Visual Basic Buffer Overrun Vulnerability
N-145: Microsoft Access Snapshot View Buffer Overrun Vulnerability
N-146: Apache 2.0.47 Release Fixes Security Vulnerabilities
N-147: Hewlett Packard Potential Security Vulnerability B.11.11 DCE
N-148: Sun Security Issue Involving the Solaris sadmind(1M) Daemon
N-149: Sendmail 8.12.9 Prescan Bug
N-150: Red Hat Updated KDE packages fix security issues
N-151: OpenSSH Buffer Management Error
N-152: Real Networks Streaming Server Vulnerability
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
